The House Science, Space and Technology Committee is questioning whether foreign nationals may have had direct access to sensitive Office of Personnel Management data before a historic OPM hack attack was disclosed last summer.

The agency recently told federal auditors that nation state-sponsored cyberattacks are the gravest and most common threat to its IT security.

“In other words, an agency that identifies foreign nations as the source of the most serious and frequently occurring threat either failed to realize that foreign nationals had access to its database, or knew it and failed to correct the situation,” committee Chairman Rep. Lamar Smith, R-Texas, said in a July 19 letter to the administration.

Last July, OPM announced adversaries had copied national security background checks and personnel records containing 21.5 million people’s Social Security numbers and other private data. Security researchers and U.S. intelligence officials have said the theft likely was a Chinese spy operation.

He says that, reportedly, some OPM contractors may have handed ”foreign governments direct access to data long before the recent reported breaches.”

Allegedly, an administrator for a project was in Argentina, while his co-worker was physically located in China, Smith says. Both individuals had sweeping “root” access to every row of data in every database, he continues.

Separately, there were reports that two employees with passports from China led a team working on the database, Smith says.

The backdrop for the lawmaker’s inquiry is a Government Accountability Office report released in June that found OPM and other agencies that run “high-impact” systems, which, if disrupted, could cause catastrophic harm, still do not always use effective access controls.

The most severe and most frequent avenues of attack against high-impact systems were through email, the web, or an employee’s improper use of technology, the auditors said.